SSH remote control and access

2025-03-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--


SSH is a secure channel protocol, used mainly for remote login and remote file copying on character-based (terminal) interfaces. SSH encrypts all data exchanged between the two sides of the connection, including the password the user types at login. Compared with older tools such as Telnet, RSH and RCP, which send everything in clear text, SSH provides far better security.

I. Basic configuration of sshd

Since we are already connected to the server with XShell, the sshd service must be running; confirm it with the command "netstat -ntap | grep sshd".

Now open the sshd configuration file, /etc/ssh/sshd_config, and look at its main configuration lines:

Port 22: the listening port number

ListenAddress 0.0.0.0: the listening address (all interfaces)

LoginGraceTime 2m: a client has 2 minutes to finish authenticating before the server disconnects it

PermitRootLogin yes: allow the root user to log in over SSH

MaxAuthTries 6: the maximum number of authentication attempts permitted per connection is 6

MaxSessions 10: the maximum number of open shell, login or subsystem sessions permitted per network connection (not a limit on the number of client connections)

PubkeyAuthentication yes: enable public key authentication

Uncomment the "Port 22" line (remove the "#" at the beginning of the line). Most lines in the shipped file are commented defaults; uncommenting them only makes the setting explicit.

Enter the command "systemctl restart sshd" to restart the sshd service

Now use a second server, test02, to control test01 remotely (connect with ssh root@192.168.131.133, the address of test01 used throughout this article):

cd /opt/ (in the remote session from test02, enter test01's /opt directory)

touch aaa.txt (create the file aaa.txt)

ls (check that the file was created)

Then, on test01 itself:

cd /opt/ (enter the /opt directory)

ls (see the file that was created remotely)

But root's privileges are far too broad for an account that anyone on the network can try to log in to, so the security risk is unacceptable. Let's disable remote root login.

First edit the sshd configuration file and set the line PermitRootLogin no (root is not allowed to log in over SSH).

systemctl restart sshd (restart the sshd service)

Create a new user, tom:

useradd tom (create user tom)

passwd tom (set its password)

Now type "ssh root@192.168.131.133" on the other server: root can no longer log in.

But there is more than one way in. Log in as tom first, then switch to root:

ssh tom@192.168.131.133

su - root

So banning root logins alone does not remove the risk: any ordinary account whose password can be guessed is still one su away from root.

We can tighten this in the PAM configuration for su (vim /etc/pam.d/su).

Enable the wheel-group restriction by removing the "#" at the beginning of the line "auth required pam_wheel.so use_uid".

User tom is not a member of the wheel group, so after this change tom can no longer switch to root at will; only members of the wheel group can still su to root, which noticeably raises the security margin of the server.

To slow down password guessing we can also cap the number of authentication attempts per connection. In the sshd configuration file, enable the MaxAuthTries line (remove the "#" at the beginning of the line); the shipped value is 6, and a lower value such as 3 is stricter.

Remember to restart the service after changing the configuration file: "systemctl restart sshd"

When we test this, however, the client appears to give up before the server's limit is reached. That is the client's doing, not the server's: the ssh client's NumberOfPasswordPrompts option defaults to 3, so it stops prompting after three wrong passwords regardless of what the server allows.

To exercise the server-side limit, raise the client's prompt count: "ssh -o NumberOfPasswordPrompts=8 fan@192.168.131.133". The server now closes the connection once MaxAuthTries is exhausted. Since an attacker controls their own client settings, MaxAuthTries on the server, not the client default, is the limit that actually matters.

To further tighten access we can also configure a whitelist or blacklist of users:

AllowUsers user1 user2 (only these users may log in)

DenyUsers user1 user2 (these users may not log in)

The list is space-separated, and each entry may take the form user@host to restrict where that user may log in from. When both directives are present, sshd evaluates DenyUsers first and then AllowUsers; once AllowUsers is set, any user not listed is refused, so a whitelist alone is usually enough.

Let's take the whitelist AllowUsers as an example.

Add the line "AllowUsers fan@192.168.131.129 jerry" to the sshd configuration file (fan may log in only from the address 192.168.131.129; jerry may log in from any address), then restart sshd.

ssh fan@192.168.131.133 (fan can log in, from 192.168.131.129)

ssh jerry@192.168.131.133 (jerry can log in)

ssh tom@192.168.131.133 (tom cannot log in)

Only users on the whitelist can log in.
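The following is an added example, not part of the original article: a bash script that checks an sshd_config and an /etc/pam.d/su file for the settings covered in this section (PermitRootLogin, MaxAuthTries, PubkeyAuthentication, AllowUsers/DenyUsers, the pam_wheel line) and evaluates an AllowUsers list against a user and source address the way sshd matches it. The file contents, user names and addresses below are constructed samples; the file paths are taken as arguments so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit the sshd_config and
# /etc/pam.d/su settings discussed above against constructed sample files.

# Effective value of a keyword. sshd keywords are case-insensitive and the
# FIRST occurrence wins, so a "PermitRootLogin no" appended to the end of
# the file is silently ignored when an earlier line already set it.
sshd_value() {  # $1=config file, $2=keyword
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
  ' "$1"
}

# Print one finding per line for each weak setting from the article.
sshd_audit() {  # $1=sshd_config path
  local cfg=$1 v
  v=$(sshd_value "$cfg" PermitRootLogin)
  [ "$v" = no ] || echo "PermitRootLogin is '${v:-unset}', want no"
  v=$(sshd_value "$cfg" MaxAuthTries); v=${v:-6}   # OpenSSH default is 6
  [ "$v" -le 3 ] || echo "MaxAuthTries is $v (example threshold: 3 or fewer)"
  v=$(sshd_value "$cfg" PubkeyAuthentication)
  [ "${v:-yes}" = yes ] || echo "PubkeyAuthentication is '$v', want yes"
  if [ -z "$(sshd_value "$cfg" AllowUsers)" ] && [ -z "$(sshd_value "$cfg" DenyUsers)" ]; then
    echo "no AllowUsers/DenyUsers restriction: every local account may try to log in"
  fi
  return 0
}

# Does "user" connecting from "addr" match an AllowUsers list? sshd accepts
# USER or USER@HOST patterns with * and ? wildcards (glob, not regex).
allow_users_permits() {  # $1=AllowUsers value, $2=user, $3=client address
  local pat ok=1
  set -f   # no pathname expansion while splitting the list
  for pat in $1; do
    case $pat in
      *@*) case "$2@$3" in $pat) ok=0 ;; esac ;;
      *)   case "$2"    in $pat) ok=0 ;; esac ;;
    esac
  done
  set +f
  return $ok
}

# Is su to root limited to the wheel group? True only when the
# "auth required pam_wheel.so" line in /etc/pam.d/su is uncommented.
pam_wheel_enforced() {  # $1=/etc/pam.d/su path
  grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# --- constructed sample files (not real hosts) ---
WEAK_SSHD=$(mktemp); HARD_SSHD=$(mktemp); PAM_SU_DEFAULT=$(mktemp); PAM_SU_WHEEL=$(mktemp)
cat >"$WEAK_SSHD" <<'EOF'
Port 22
ListenAddress 0.0.0.0
LoginGraceTime 2m
PermitRootLogin yes
#MaxAuthTries 6
MaxSessions 10
PubkeyAuthentication yes
# appended later by an admin: has no effect, the first PermitRootLogin wins
PermitRootLogin no
EOF
cat >"$HARD_SSHD" <<'EOF'
Port 22
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
AllowUsers fan@192.168.131.129 jerry
EOF
cat >"$PAM_SU_DEFAULT" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required    pam_wheel.so use_uid
auth        substack    system-auth
EOF
sed 's/^#auth/auth/' "$PAM_SU_DEFAULT" >"$PAM_SU_WHEEL"   # the article's edit

echo "== weak sshd_config =="; sshd_audit "$WEAK_SSHD"
echo "== hardened sshd_config =="; sshd_audit "$HARD_SSHD"
pam_wheel_enforced "$PAM_SU_WHEEL" && echo "su to root limited to wheel"
```

Run it against the real files with sshd_audit /etc/ssh/sshd_config and pam_wheel_enforced /etc/pam.d/su. The weak sample deliberately has a second "PermitRootLogin no" appended at the end; the audit still reports yes, because sshd honours the first value it sees, which is why the article edits the existing line rather than adding a new one.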

II. Login with an SSH key pair

Enable the key authentication line "PubkeyAuthentication yes" (remove the "#"; yes is also the built-in default).

At this point the target user's home directory on the server contains no ~/.ssh directory yet.

On the client, create a new user, kefu, and work as that user.

Generate the key pair on the client: ssh-keygen -t ecdsa

Enter a passphrase for the private key when prompted: choose your own.

ls ~/.ssh (check that id_ecdsa and id_ecdsa.pub were created)

ssh-copy-id -i ~/.ssh/id_ecdsa.pub fan@192.168.131.133 (push the public key to the server account fan)

yes (accept the server's host key on the first connection)

Enter the login password of user fan.

The public key now sits in ~/.ssh/authorized_keys in fan's home directory on the server.

Now we can log in with the key: the password the client asks for is the passphrase we set on the key pair, not fan's account password.

For an account we use often we can avoid retyping the passphrase by loading the key into an agent:

ssh-agent bash

ssh-add

Enter the key pair passphrase.

From now on, our kefu user on the client can log in to the remote server as fan without typing anything, for as long as that agent shell lives. Once key login works, consider setting PasswordAuthentication no on the server, so that guessing fan's password is no longer an option.
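As an added example (not from the original article), the script below does by hand what ssh-copy-id does on the server: it validates the public key line, appends it once to authorized_keys, and sets the permissions that sshd's StrictModes (on by default) requires before it will trust the file. The target home directory is passed as an argument (a temporary directory here), the key blob is constructed and is not a real key, and the user names kefu and fan are the article's.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): install a public key the way
# ssh-copy-id does, so the "key file" that appears in fan's home directory
# after the push is visible. The home directory is an argument, so no remote
# server is needed to run it.

# Accept only "<type> <base64> [comment]" with a key type OpenSSH uses.
valid_pubkey_line() {  # $1=public key line
  printf '%s\n' "$1" |
    grep -Eq '^(ssh-ed25519|ecdsa-sha2-nistp(256|384|521)|ssh-rsa) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'
}

# Append the key to <home>/.ssh/authorized_keys exactly once, with the modes
# StrictModes insists on: .ssh 700, authorized_keys 600 (group/world-writable
# files make sshd silently refuse key login).
install_pubkey() {  # $1=target home directory, $2=public key line
  local sshdir=$1/.ssh auth=$1/.ssh/authorized_keys id
  valid_pubkey_line "$2" || { echo "rejected: not an OpenSSH public key line" >&2; return 1; }
  mkdir -p "$sshdir" && chmod 700 "$sshdir"
  [ -f "$auth" ] || : >"$auth"
  chmod 600 "$auth"
  id=$(printf '%s\n' "$2" | awk '{print $1, $2}')   # type + blob; comment ignored
  if grep -qF -- "$id" "$auth"; then
    echo "already present: ${id%% *} ..."   # ssh-copy-id also skips installed keys
    return 0
  fi
  printf '%s\n' "$2" >>"$auth"
  echo "installed: ${id%% *} ..."
}

# Constructed key line: the blob is NOT a real key, only shaped like one.
SAMPLE_KEY='ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBConstructedBlobNotARealKey0123456789abcdefABCDEF= kefu@test02'
DEMO_HOME=$(mktemp -d)
install_pubkey "$DEMO_HOME" "$SAMPLE_KEY"
install_pubkey "$DEMO_HOME" "$SAMPLE_KEY"   # second push is a no-op
ls -la "$DEMO_HOME/.ssh"
```

The format check matters more than it looks: authorized_keys is parsed line by line, and a stray line that is not a key is ignored by sshd without any warning, so a botched copy-and-paste simply leaves you locked out with a password prompt.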

III. The scp and sftp commands

Create the file "ssh_client" and the directory "test" on the client.

Then copy the file ssh_client and the directory test to the server with scp (the -r option is required for the directory).

On the server, enter the target directory and check the copied files.

For interactive file management on the server from the client, use the command "sftp root@192.168.131.133" (with root login disabled as above, use an ordinary account such as fan instead).

get ssh_client: download the file ssh_client from the remote server.

put ssh_server: upload the file ssh_server to the remote server.

IV. Access policy of TCP Wrappers

The TCP Wrappers mechanism protects network service programs by applying access control based on the address of the connecting client. Its two policy files are /etc/hosts.allow and /etc/hosts.deny, which hold the permit rules and the deny rules respectively.

The rules are applied in this order: first /etc/hosts.allow is checked, and if a matching rule is found access is granted; otherwise /etc/hosts.deny is checked, and if a matching rule is found access is refused; if neither file contains a matching rule, access is allowed. Because the default is to allow, an entry in hosts.allow restricts nothing unless hosts.deny also has a matching catch-all entry. Note also that upstream OpenSSH dropped TCP Wrappers (libwrap) support in version 6.7; CentOS/RHEL 7 still ship a patched sshd that honours these files, but RHEL 8 and later do not, and there firewall rules or the user@host form of AllowUsers shown above should be used instead.

To allow the sshd service only from the host with IP address 192.168.131.129 and refuse every other address:

vim /etc/hosts.allow (the whitelist policy file)

sshd:192.168.131.129 (the host that is allowed to log in)

:wq (save and exit)

vim /etc/hosts.deny (the blacklist policy file)

sshd:ALL (refuse everyone else)

:wq (save and exit)

No service restart is needed: the two files are re-read for every new connection.
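The following is an added example, not part of the original article: a small bash evaluator for the hosts.allow / hosts.deny decision order described above, run against constructed policy files that reproduce the article's configuration. It supports the hosts_access(5) forms used here (ALL, an exact address, and the trailing-dot prefix such as 192.168.131.); it does not implement EXCEPT, hostname suffixes or the other wildcards.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): evaluate TCP Wrappers rules
# in the documented order against constructed hosts.allow / hosts.deny files.

# Does one "daemon_list : client_list [: shell_command]" rule match?
rule_matches() {  # $1=rule line, $2=daemon, $3=client address
  local daemons clients d c hit=0
  daemons=${1%%:*}
  clients=${1#*:}; clients=${clients%%:*}   # drop an optional shell_command
  for d in $(printf '%s' "$daemons" | tr ',' ' '); do
    if [ "$d" = ALL ] || [ "$d" = "$2" ]; then hit=1; fi
  done
  [ "$hit" -eq 1 ] || return 1
  for c in $(printf '%s' "$clients" | tr ',' ' '); do
    case $c in
      ALL) return 0 ;;                               # wildcard
      *.)  case $3 in "$c"*) return 0 ;; esac ;;     # 192.168.131. = address prefix
      *)   [ "$c" = "$3" ] && return 0 ;;            # exact address
    esac
  done
  return 1
}

# The documented order: a match in hosts.allow grants, then a match in
# hosts.deny refuses, and a client matched by neither file is ALLOWED.
tcpwrap_decision() {  # $1=daemon, $2=client address, $3=hosts.allow, $4=hosts.deny
  local f line
  for f in "$3" "$4"; do
    [ -f "$f" ] || continue
    while IFS= read -r line || [ -n "$line" ]; do
      case $line in ''|\#*) continue ;; esac          # skip blanks and comments
      if rule_matches "$line" "$1" "$2"; then
        if [ "$f" = "$3" ]; then echo allow; else echo deny; fi
        return 0
      fi
    done <"$f"
  done
  echo allow   # nothing matched: the default is to permit
}

# --- constructed policy files reproducing the article's configuration ---
TW_ALLOW=$(mktemp); TW_DENY=$(mktemp)
printf 'sshd:192.168.131.129\n' >"$TW_ALLOW"
printf 'sshd:ALL\n' >"$TW_DENY"
for client in 192.168.131.129 192.168.131.130; do
  echo "sshd from $client: $(tcpwrap_decision sshd "$client" "$TW_ALLOW" "$TW_DENY")"
done
```

The third test case below is the footgun the "allow by default" rule creates: with hosts.deny emptied, the hosts.allow entry is still present but every client is let in, so the two files must always be written as a pair.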
